mace-opensaml-users - RE: [OpenSAML] How to validate signing certificate of the SAML token in the relaying party?
- From: "Cantor, Scott E." <>
- To: "" <>
- Subject: RE: [OpenSAML] How to validate signing certificate of the SAML token in the relaying party?
- Date: Thu, 28 Apr 2011 15:12:34 +0000
- Accept-language: en-US
> Thanks Paul and Scott for your response. I thought that
> signatureValidator.validate(signature) handles everything. By the way, do
> you have any recommendation on dealing with trust management? For example,
> what kind of items do I need to check except expiration date?
This is an extremely complex problem; there are no simple "just check this"
answers. If you wanted to use PKIX, then you *need* to do PKIX. That's far
more than just checking a date. You have to do path validation, possibly
check various extensions, implement a revocation strategy, etc. You also need
a mechanism to bind certificate DNs to SAML issuers.
Or you can implement solutions based on SAML metadata to exchange key
material. There is a standard for this, implemented at some level of the code
base, possibly only in Shibboleth.
http://wiki.oasis-open.org/security/SAML2MetadataIOP
See also:
https://wiki.shibboleth.net/confluence/display/SHIB2/TrustManagement
-- Scott
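The metadata-based route Scott describes, written out as an added example (not code from this thread or from the OpenSAML project) against the OpenSAML 2 Java API: trusted signing keys come from the IdP's SAML metadata, and the signature is accepted only if its key is bound in that metadata to the entity named in the assertion's Issuer. It assumes the relying party already holds the IdP metadata in a local file and has parsed the incoming Assertion; it deliberately does not attempt PKIX path validation or revocation, and it says nothing about assertion Conditions (audience, NotOnOrAfter), which still need a separate check.

```java
import java.io.File;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

public final class MetadataTrust {

    /** Build a trust engine whose only trusted keys are those published in the IdP metadata file (path is an assumption). */
    public static SignatureTrustEngine buildTrustEngine(File idpMetadataFile) throws Exception {
        DefaultBootstrap.bootstrap();
        FilesystemMetadataProvider mdp = new FilesystemMetadataProvider(idpMetadataFile);
        mdp.setParserPool(new BasicParserPool());
        mdp.setRequireValidMetadata(true);   // refuse metadata whose validUntil has passed
        mdp.initialize();

        MetadataCredentialResolver metadataKeys = new MetadataCredentialResolver(mdp);
        KeyInfoCredentialResolver keyInfoResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        // Explicit-key trust: the signing key must match a key in metadata, no PKIX involved
        return new ExplicitKeySignatureTrustEngine(metadataKeys, keyInfoResolver);
    }

    /** True only if the signature is SAML-profile-conformant AND was made with a signing key bound to the Issuer. */
    public static boolean isTrustedSignature(Assertion assertion, SignatureTrustEngine trustEngine) {
        Signature sig = assertion.getSignature();
        if (sig == null || assertion.getIssuer() == null) {
            return false;                    // unsigned or anonymous assertion: reject
        }
        try {
            new SAMLSignatureProfileValidator().validate(sig);   // structural checks first
            CriteriaSet criteria = new CriteriaSet();            // bind key to the claimed issuer
            criteria.add(new EntityIDCriteria(assertion.getIssuer().getValue()));
            criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
            criteria.add(new UsageCriteria(UsageType.SIGNING));
            return trustEngine.validate(sig, criteria);          // cryptographic check against resolved keys
        } catch (ValidationException | SecurityException e) {
            return false;
        }
    }
}
```

Calling `SignatureValidator.validate(signature)` with a key taken from the message's own KeyInfo proves only that the XML was not altered, which is the gap the question describes; the criteria set above is what turns it into "signed by the IdP we trust".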